| blob | b0ccf495c7eb06a8a615355cc4c5582c1e58d195 |
1 { config, lib, pkgs, ... }:
2 let cfg = config.nix.sshServe;
3 command =
4 if cfg.protocol == "ssh"
5 then "nix-store --serve ${lib.optionalString cfg.write "--write"}"
6 else "nix-daemon --stdio";
7 in {
8 options = {
10 nix.sshServe = {
12 enable = lib.mkOption {
13 type = lib.types.bool;
14 default = false;
15 description = "Whether to enable serving the Nix store as a remote store via SSH.";
16 };
18 write = lib.mkOption {
19 type = lib.types.bool;
20 default = false;
21 description = "Whether to enable writing to the Nix store as a remote store via SSH. Note: the sshServe user is named nix-ssh and is not a trusted-user. nix-ssh should be added to the {option}`nix.settings.trusted-users` option in most use cases, such as allowing remote building of derivations.";
22 };
24 keys = lib.mkOption {
25 type = lib.types.listOf lib.types.str;
26 default = [];
27 example = [ "ssh-dss AAAAB3NzaC1k... alice@example.org" ];
28 description = "A list of SSH public keys allowed to access the binary cache via SSH.";
29 };
31 protocol = lib.mkOption {
32 type = lib.types.enum [ "ssh" "ssh-ng" ];
33 default = "ssh";
34 description = "The specific Nix-over-SSH protocol to use.";
35 };
37 };
39 };
41 config = lib.mkIf cfg.enable {
43 users.users.nix-ssh = {
44 description = "Nix SSH store user";
45 isSystemUser = true;
46 group = "nix-ssh";
47 shell = pkgs.bashInteractive;
48 };
49 users.groups.nix-ssh = {};
51 services.openssh.enable = true;
53 services.openssh.extraConfig = ''
54 Match User nix-ssh
55 AllowAgentForwarding no
56 AllowTcpForwarding no
57 PermitTTY no
58 PermitTunnel no
59 X11Forwarding no
60 ForceCommand ${config.nix.package.out}/bin/${command}
61 Match All
62 '';
64 users.users.nix-ssh.openssh.authorizedKeys.keys = cfg.keys;
66 };
67 }